dotnet / docs

This repository contains .NET Documentation.
https://learn.microsoft.com/dotnet
Creative Commons Attribution 4.0 International

Document intended / best practice for code signing in a .NET context #30285

Open Zastai opened 2 years ago

Zastai commented 2 years ago

Help us make content visible

Search terms used: "code signing". Results were about strong naming, or .NET API containing "Sign".

Describe the new article

Rationale:

The new article would document the use of code signing in a .NET context.

With .NET Framework, this was easy - you could use the SignFile task in MSBuild to sign your assemblies.

However, that task is apparently intended for ClickOnce only (requires the ClickOnce SDK and runs only on Windows), so it is not usable using just a .NET SDK. The only alternative is to try and determine the location of a signtool.exe (a tool which sadly does not seem easy to deploy separately) and use it (made harder because a .NET SDK build does not seem to get the Windows SDK-related properties set).

So it certainly looks like applying code signing to assembly DLLs is not an intended scenario, given there is a complete lack of support for it in the SDK.

What does seem to be handled by the SDK is signing NuGet packages. That makes it seem like the intended / best practice is to sign the NuGet package and not the individual assemblies.

It would be useful to have an article in the documentation making this clear. Note: this does not necessarily have to be a new article; a section in an existing related article would be fine too, as long as a search for "code signing" then easily finds it.

As for location, that seems less obvious. "Deployment Models" might work given that it also has a page on package creation. But DevOps might also work (given that code signing will typically happen as part of a release pipeline).

Abstract:

The best practices for code signing in a .NET context.

Outline:
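
As an added illustration (not part of this issue or of the dotnet/docs repository): a PowerShell script that signs a package with `dotnet nuget sign`, verifies it with `dotnet nuget verify`, and then reports whether the assemblies inside the package carry an Authenticode signature, which is the gap the rationale above describes. It assumes PowerShell on Windows with a .NET 6 or later SDK; the package path, PFX file, password variable and timestamp server URL are placeholders.

```powershell
# Added example, not code from the issue or the repository.
# All paths and the timestamp URL below are placeholders.
param(
    [string]$Package   = '.\bin\Release\MyLib.1.0.0.nupkg',   # placeholder package
    [string]$PfxPath   = '.\codesign.pfx',                    # placeholder certificate
    [string]$PfxPass   = $env:CODESIGN_PFX_PASSWORD,          # supplied by the pipeline
    [string]$Timestamp = 'http://timestamp.example/rfc3161'   # placeholder RFC 3161 TSA
)
$ErrorActionPreference = 'Stop'

# 1. Package signing is what the SDK supports directly.
dotnet nuget sign $Package `
    --certificate-path $PfxPath `
    --certificate-password $PfxPass `
    --timestamper $Timestamp `
    --overwrite
if ($LASTEXITCODE -ne 0) { throw "dotnet nuget sign failed ($LASTEXITCODE)" }

# 2. Verify the package signature before publishing (fails on untrusted or tampered packages).
dotnet nuget verify $Package --all
if ($LASTEXITCODE -ne 0) { throw "package signature verification failed ($LASTEXITCODE)" }

# 3. A .nupkg is a zip archive. Package signing covers the archive, not the
#    assemblies inside it, so check each DLL/EXE for an Authenticode signature.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) ([System.IO.Path]::GetRandomFileName())
[System.IO.Compression.ZipFile]::ExtractToDirectory($Package, $tmp)
try {
    Get-ChildItem -Path $tmp -Recurse -Include *.dll, *.exe | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.Name
            Status = $sig.Status            # NotSigned when only the package was signed
            Signer = $sig.SignerCertificate.Subject
        }
    } | Format-Table -AutoSize
}
finally {
    Remove-Item -Path $tmp -Recurse -Force
}
```

Assemblies that were never run through signtool.exe show `Status = NotSigned` in step 3 even though the package itself verified in step 2.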

gewarren commented 2 years ago

Related to #29982.

Zastai commented 2 years ago

> Related to #29982.

Only a little - this is specifically not about strong naming but about code signing ("Authenticode").